Abstract: The notion of key generators is introduced to symmetric cryptography. Key generators help eliminate the dependence of a block cipher's security on a single, static key. If one of the dynamic keys is leaked to the adversary, then this compromise does not reveal future keys and prior keys used by the block cipher to encrypt distinct blocks of plaintext. A practical key generator updating algorithm is provided that enhances the cryptographic strength of block ciphers and in particular the AES block cipher.
1 Introduction

Typically, cryptographic methods [1, 2, 3, 4, 5] imply or use a static key throughout the entire execution of the encryption algorithm. (Herein algorithm refers to any method that can be implemented with a Turing machine [6].) In symmetric cryptography, the encryption and decryption use the same private key. For example, a block cipher algorithm $\mathcal{E}_A : \{0,1\}^m \times \{0,1\}^\kappa \to \{0,1\}^m$ uses a $\kappa$-bit private key $K$ as a parameter and encrypts an $m$-bit block of plaintext $\mathcal{M}$, denoted as $\mathcal{E}_A(\mathcal{M}, K)$. The block cipher's key space $\{0,1\}^\kappa$ has size $2^\kappa$. The block cipher's message space $\{0,1\}^m$ has size $2^m$. The decryption algorithm $\mathcal{D}_A : \{0,1\}^m \times \{0,1\}^\kappa \to \{0,1\}^m$ has the inverse property that $\mathcal{D}_A(\mathcal{E}_A(x, K), K) = x$ for every plaintext $x \in \{0,1\}^m$ and every key $K \in \{0,1\}^\kappa$.

AES is a popular block cipher with block size 128 bits, standardized by NIST [7, 8]. In recent years, various attacks on the AES cipher have demonstrated some weaknesses. A practical padding oracle attack [9] can capture the plaintext from ciphertext that has been encrypted by AES. At least part of the weakness in AES is due to slow diffusion in the key scheduling [10, 11, 12]. A feasible attack on AES-256 has been demonstrated with only one fewer round, 13 rounds instead of 14, in the key schedule [13]. In [14], a cache-timing attack captured the static key in one day using $2 \times 10^{8}$ (plaintext, ciphertext, time) triples. Additional attacks were also recently discovered [15, 16, 17, 18].

In prior methods, the static key assumption is implied by some attacks (cited in the previous paragraph, including the cache-timing attack) whose goal is to capture the key. In the algebraic embedding of AES in BES, the static key assumption is further implied by the counting [19, 20] of the number of equations that the AES encryption satisfies. In another example, [21] demonstrates a generic attack on all block ciphers such that the time complexity for finding a static key of size $k$ bits is $2^k(1 - \epsilon)$, where $\epsilon > 0$.

This paper's primary contribution introduces key generators to symmetric cryptography. A key generator is defined as a sequence $\Gamma : \mathbb{N} \to \{0,1\}^n$. Key generators help eliminate the dependence of a block cipher's security on a single, static key. In our algorithms 2 and 3, a new dynamic key is derived for each block of plaintext from the key generator so that the block cipher no longer depends upon a single, static key. Even if one of the dynamic keys is leaked to the adversary, this compromise does not reveal prior keys and future keys used by the block cipher to encrypt distinct blocks of plaintext.

A second contribution defines a one-way preimage function, based on our introduction of concrete complexity, and uses these functions to define a general key generator updating algorithm 1 and cryptographic algorithm 2. Algorithms 1 and 2 help strengthen the underlying block cipher: when a one-way preimage hash function with digest size $q$ satisfies our regularity condition and helps implement our key generator updating algorithm, the compromise of prior keys and future keys in algorithm 2 requires a preimage attack with complexity at least $2^{n-q}$, where $n > q$. For appropriate values of $q$ and $n$, this complexity $2^{n-q}$ can be substantially greater than the size of the keyspace used by the underlying block cipher.

Lastly, algorithm 3 contributes a practical instantiation of algorithm 2. Speed tests, presented in section 7, demonstrate the feasibility of key generators in modern cryptographic applications.
2 Key Generator Updating and Dynamic Key Derivation

Key generator updating requires Alice and Bob agreeing upon the next sequence element $\Gamma(i)$ of key generator $\Gamma$. Even though an uncountable number of key generators are Turing incomputable, herein our attention is on computable key generators because computability helps simplify the coordination of updating between Alice and Bob.

Our one-way preimage hash functions are not intended for message authentication. Consequently, in section 4, our formal definition does not include collision resistance. The reason for this is that the hash digest of $\Psi$ in algorithm 2 is not readily available to Eve and that a collision does not provide a feasible method for Eve computing prior and future keys, as further explained in remark 22. With this in mind, the key generator updating and cryptography algorithms are presented first.

In key generator updating algorithm 1, $\Phi$ is a one-way preimage hash function with digest size $q$. $\Gamma : \mathbb{N} \to \{0,1\}^n$ is a key generator such that $n > q$. The $j$th bit of $\Gamma(i)$ is $\Gamma_{i,j}$. Alice and Bob can establish a shared element $\Gamma(0)$ by executing a signed Diffie-Hellman-Merkle exchange with elliptic curves [22, 23, 24, 25]. (See Theorem 2.1 in [24] to establish shared secrets with $n > 256$.)

Algorithm 1 Key Generator Updating

Alice and Bob execute a signed DHM exchange to establish a shared 0th sequence element $\Gamma(0) = \Gamma_{0,0} \ldots \Gamma_{0,n-1}$.

Initialize $i = 0$

while (next element $\Gamma(i+1)$ is requested)
{
    $(\Gamma_{i+1,0} \ldots \Gamma_{i+1,q-1}) = \Phi(\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,q-1})$

    Set $\Gamma_{i+1,j} = \Gamma_{i,j}$ for each $j$ such that $q \le j \le n-1$

    Increment $i$
}

Algorithm 1 is designed to generate a high dimensional orbit on the first $q$ bits $\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,q-1}$, induced by the avalanche properties [26] of function $\Phi$; to keep the remaining $n-q$ bits invariant for all $i$; and to assure that no information from the last $n-q$ bits contributes to the orbit of the first $q$ bits. In a typical case, the adversary Eve never has access to any bits of Alice's $\Gamma(i)$. This is analogous to Eve not having access to any bits of Alice's static key, used in traditional symmetric cryptography.

Algorithm 2 derives a dynamic key $K_i$ for block cipher $A$ from each sequence element $\Gamma(i)$ of the key generator. Let $\Psi$ be a one-way preimage hash function whose digest size is $r$ bits. $\Psi$ hashes a concatenation of the dynamic part $\Gamma_{i,0}, \Gamma_{i,1}, \ldots, \Gamma_{i,q-1}$ of $\Gamma(i)$ and the invariant part $\Gamma_{i,q}, \ldots, \Gamma_{i,n-1}$ in order to derive a distinct key $K_i$ for each block that is encrypted. The expression $\mathcal{E}_A(\mathcal{M}, K)$ represents block cipher $A$ encrypting plaintext block $\mathcal{M}$ with key $K$, and $\mathcal{D}_A(C, K)$ represents block cipher $A$ decrypting ciphertext $C$ with key $K$. The key size $|K|$ of the block cipher is $\kappa$ bits and satisfies $\kappa < r$. Define the projection map $\pi_\kappa : \{0,1\}^r \to \{0,1\}^\kappa$ where $\pi_\kappa(x_1, x_2, \ldots, x_r) = (x_1, x_2, \ldots, x_\kappa)$.

Algorithm 2 Block Cipher $A$ uses Dynamic Keys

Alice's Encryption Algorithm:

Alice executes with Bob a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$

Initialize $i = 0$

while (more plaintext $\mathcal{M}_i$ to encrypt)
{
    Dynamic key $K_i = \pi_\kappa \circ \Psi(\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,n-1})$

    Encrypt $C_i = \mathcal{E}_A(\mathcal{M}_i \oplus C_{i-1}, K_i)$
    ( $\mathcal{M}_i \oplus C_{i-1}$ is encrypted with key $K_i$ )

    Algorithm 1 computes element $\Gamma(i+1)$

    Increment $i$
}

Bob's Decryption Algorithm:

Bob executes with Alice a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$

Initialize $i = 0$

while (more ciphertext $C_i$ to decrypt)
{
    Dynamic key $K_i = \pi_\kappa \circ \Psi(\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,n-1})$

    Decrypt $\mathcal{M}_i = C_{i-1} \oplus \mathcal{D}_A(C_i, K_i)$
    ( $C_i$ is decrypted with dynamic key $K_i$ )

    Algorithm 1 computes element $\Gamma(i+1)$

    Increment $i$
}

Note that cipher block chaining is used.

3 AES-128 and SHA-512 Key Generator Updating

A variation of algorithm 2 is described. AES-128 is the block cipher. SHA-512 [27] acts as the one-way hash function $\Phi$ that performs the key generator updating and as the one-way hash function $\Psi$ that derives the dynamic key. Two steps of algorithm 2 change slightly: Dynamic key $K_i = \pi_\kappa \circ \Psi(\Gamma_{i,0} \ldots \Gamma_{i,n-1})$ and Algorithm 1 computes element $\Gamma(i+1)$.

One SHA-512 digest creates four distinct 128-bit keys. The encryption and decryption execution speeds can be increased by performing these two steps only when $i \bmod 4 = 0$. Define function $\Pi : \{0,1,2,3\} \times \{0,1\}^{512} \to \{0,1\}^{128}$ as $\Pi(a, (x_0, x_1, \ldots, x_{511})) = (x_{128a}, x_{128a+1}, \ldots, x_{128a+127})$ where $a \in \{0,1,2,3\}$ and $(x_0, x_1, \ldots, x_{511}) \in \{0,1\}^{512}$. Set $n = 1024$ so that for all $i$ and for each $j \in \{512, \ldots, 1023\}$, $\Gamma_{i,j} = \Gamma_{0,j}$. Set $\Phi = \Psi = $ SHA-512.

Algorithm 3 AES-128 uses a SHA-512 Key Generator Update

Alice's Encryption Algorithm:

Alice executes with Bob a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$

Initialize $i = 0$

while (more plaintext $\mathcal{M}_i$ to encrypt)
{
    Set $a = i \bmod 4$

    if ($a == 0$) then compute
        $P_{i/4} = \Psi(\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,1023})$

    Set dynamic key $K_i = \Pi(a, P_{\lfloor i/4 \rfloor})$

    Encrypt $C_i = \mathcal{E}_{AES}(\mathcal{M}_i \oplus C_{i-1}, K_i)$

    if ($a == 0$) then algorithm 1 computes element $\Gamma(i+1)$ from $\Gamma(i)$

    Increment $i$
}

Bob's Decryption Algorithm:

Bob executes with Alice a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$

Initialize $i = 0$

while (more ciphertext $C_i$ to decrypt)
{
    Set $a = i \bmod 4$

    if ($a == 0$) then compute
        $P_{i/4} = \Psi(\Gamma_{i,0}\,\Gamma_{i,1} \ldots \Gamma_{i,1023})$

    Set dynamic key $K_i = \Pi(a, P_{\lfloor i/4 \rfloor})$

    Decrypt $\mathcal{M}_i = C_{i-1} \oplus \mathcal{D}_{AES}(C_i, K_i)$

    if ($a == 0$) then algorithm 1 computes element $\Gamma(i+1)$ from $\Gamma(i)$

    Increment $i$
}

Note that cipher block chaining is used.
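The following Python program is an added example, not code from the paper, that implements algorithm 1 and the key-derivation side of algorithm 3 with the standard library's SHA-512: $\Gamma(i)$ is held as 128 bytes, only its first 512 bits evolve, one digest $P = \Psi(\Gamma(i))$ yields four 128-bit keys via $\Pi$, and the key generator advances once every four blocks. The CBC plumbing is shown too, but because the example must run without a cryptographic library the block cipher $\mathcal{E}_{AES}$ is replaced by a clearly labelled stand-in (a keyed XOR pad, an involution, not a cipher); the function names, the sample $\Gamma(0)$ and the sample plaintext are all constructed for this example.

```python
import hashlib

Q_BYTES = 512 // 8    # digest size q of Phi = Psi = SHA-512, in bytes
N_BYTES = 1024 // 8   # key generator width n = 1024 bits (section 3), in bytes
BLOCK = 16            # AES-128 block and key size, in bytes


def phi(dynamic_part: bytes) -> bytes:
    """Phi = SHA-512 applied to the first q bits of Gamma(i) (algorithm 1)."""
    return hashlib.sha512(dynamic_part).digest()


class KeyGenerator:
    """Algorithm 1: Gamma(i+1) = Phi(Gamma_{i,0..q-1}) || Gamma_{i,q..n-1}.

    The last n-q bits are invariant for all i and never feed the orbit of the first q bits.
    """

    def __init__(self, gamma0: bytes):
        if len(gamma0) != N_BYTES:
            raise ValueError("Gamma(0) must be n = 1024 bits")
        self.gamma, self.i = gamma0, 0

    def update(self) -> bytes:
        dynamic, invariant = self.gamma[:Q_BYTES], self.gamma[Q_BYTES:]
        self.gamma = phi(dynamic) + invariant
        self.i += 1
        return self.gamma


def derive_dynamic_keys(gamma: bytes) -> list:
    """P = Psi(Gamma(i)) over all n bits; Pi(a, P) is the a-th 128-bit slice, a in 0..3."""
    p = hashlib.sha512(gamma).digest()
    return [p[BLOCK * a: BLOCK * (a + 1)] for a in range(4)]


def stand_in_block_encrypt(block: bytes, key: bytes) -> bytes:
    """STAND-IN for E_AES(block, key): XOR with a key-derived pad (an involution, so it
    also serves as D_AES). Not a cipher; substitute single-block AES-128 in real use."""
    pad = hashlib.sha256(b"stand-in-block-cipher" + key).digest()[:BLOCK]
    return bytes(b ^ k for b, k in zip(block, pad))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, gamma0, c_minus1, enc=stand_in_block_encrypt):
    """Alice's side of algorithm 3: CBC with a fresh dynamic key for every block."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of 16-byte blocks")
    kg, prev, out, keys = KeyGenerator(gamma0), c_minus1, [], None
    for i in range(len(plaintext) // BLOCK):
        a = i % 4
        if a == 0:                      # one SHA-512 digest feeds four keys
            keys = derive_dynamic_keys(kg.gamma)
        c = enc(_xor(plaintext[BLOCK * i: BLOCK * (i + 1)], prev), keys[a])
        out.append(c)
        prev = c
        if a == 0:                      # algorithm 1 advances Gamma once per four blocks
            kg.update()
    return b"".join(out)


def decrypt(ciphertext, gamma0, c_minus1, dec=stand_in_block_encrypt):
    """Bob's side: the same key schedule, M_i = C_{i-1} xor D(C_i, K_i)."""
    kg, prev, out, keys = KeyGenerator(gamma0), c_minus1, [], None
    for i in range(len(ciphertext) // BLOCK):
        a = i % 4
        if a == 0:
            keys = derive_dynamic_keys(kg.gamma)
        c = ciphertext[BLOCK * i: BLOCK * (i + 1)]
        out.append(_xor(prev, dec(c, keys[a])))
        prev = c
        if a == 0:
            kg.update()
    return b"".join(out)


def key_schedule(gamma0: bytes, nblocks: int) -> list:
    """The sequence K_0 .. K_{nblocks-1} that algorithm 3 uses, for inspection."""
    kg, keys, out = KeyGenerator(gamma0), None, []
    for i in range(nblocks):
        if i % 4 == 0:
            keys = derive_dynamic_keys(kg.gamma)
        out.append(keys[i % 4])
        if i % 4 == 0:
            kg.update()
    return out


def demo():
    # Constructed stand-ins for the DHM-established secrets Gamma(0) and C_{-1}.
    gamma0 = bytes(range(N_BYTES))
    c_minus1 = bytes(BLOCK)
    plaintext = (b"constructed plaintext block " * 5)[:8 * BLOCK]   # eight blocks
    ct = encrypt(plaintext, gamma0, c_minus1)
    return plaintext, ct, decrypt(ct, gamma0, c_minus1)


if __name__ == "__main__":
    pt, ct, rec = demo()
    print("round trip ok:", rec == pt, "| distinct keys:", len(set(key_schedule(bytes(range(N_BYTES)), 8))))
```

`key_schedule` makes the two properties the section relies on inspectable: the invariant half of $\Gamma(0)$ still changes every derived key (because $\Psi$ hashes all $n$ bits), while `KeyGenerator.update` shows that the invariant half is copied across unchanged and the dynamic half is exactly $\Phi$ of the previous dynamic half.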

The use of key generator updating in algorithm 3 should not be confused with the existing block cipher modes of operation such as ECB, CBC or CTR. First, each of these modes still relies on a static key. Even CTR, where $K_i = \mathcal{E}_A(\text{nonce} \,\|\, i, K)$ and the $i$th block of ciphertext is $C_i = \mathcal{M}_i \oplus K_i$, relies on the static key $K$. Second, key generator updating uses values of $n$ for the key generator that can be substantially greater than the block and static key size. That is, usually $n \gg |K_i|$ and $n \gg m$. For example, in algorithm 3, $n = 1024$, while the key and block size $= 128$. As explained in section 5, the periodicity of the orbit of dynamic keys produced by a key generator can be substantially greater than $2^\kappa$.

Each of these modes puts an upper bound on the amount of entropy increase, based on the block size or key size. In the case of ECB, no entropy increase occurs. In the case of CBC, the entropy increase is bounded above by the size of the message space. In the case of CTR, the nonce concatenated with the counter $i$ is bounded above by the size of the message space and the resulting key orbit is bounded above by the size of the key space. Since $n$ can be substantially greater than the key or block size, a greater entropy increase can occur with key generator updating. Furthermore, nothing precludes combining key generator updating with the CBC mode or the CTR mode. Both algorithms 2 and 3 show key generator updating combined with the CBC mode.

4 Concrete Complexity and One-Way Preimage Functions

Based on Turing machines, this section introduces concrete complexity and then defines a one-way preimage hash function. The first goal of our new definitions is to avoid the difficulty that asymptotic definitions of complexity cannot model one-way hash functions used in practice. A second, longer term goal is to further develop an appropriate framework to characterize one-wayness, by applying powerful tools from dynamical systems to the Turing machine.

As a brief review, a Turing machine is a triple $(Q, \Sigma, \eta)$ where $Q$ is a finite set of states that does not contain a unique halting state $h$. When machine execution begins, the machine is in an initial state $s \in Q$. $\Sigma$ is a finite alphabet whose symbols are read from and written to a tape $T : \mathbb{Z} \to \Sigma$. The alphabet symbol in the $k$th tape square is $T(k)$. $-1$ and $+1$ represent advancing the tape head to the left or right tape square, respectively. $\eta$ is a program function, where $\eta : Q \times \Sigma \to (Q \cup \{h\}) \times \Sigma \times \{-1, +1\}$.

For each $q$ in $Q$ and $\alpha$ in $\Sigma$, the instruction $\eta(q, \alpha) = (r, \beta, x)$ specifies how the machine executes one computational step. When in state $q$ and reading alphabet symbol $\alpha$ on the tape: the machine jumps to state $r$. On the tape, the machine replaces alphabet symbol $\alpha$ with symbol $\beta$. If $x = -1$ or $x = +1$, then the machine moves its tape head one square to the left or right, respectively, and subsequently reads the symbol in this new square. If $r = h$, the machine reaches the halting state and stops executing.

Definition 4 Concrete Complexity

For machine input $u \in \Sigma^*$, let $|u|$ be the length of $u$. Let $g : \mathbb{N} \to \mathbb{N}$ be a function of $|u|$. Machine $\mathcal{M} = (Q, \Sigma, \eta)$ has concrete complexity $\mathcal{C}(g, \sigma, \rho, |u|)$ if the following three conditions hold: (1) On input $u$, machine $\mathcal{M}$ takes at least $g(|u|)$ computational steps to halt. (2) $\mathcal{M}$'s alphabet satisfies $|\Sigma| \le \sigma$. (3) $\mathcal{M}$'s states satisfy $|Q| \le \rho$.

Remark 5

Parameters $\sigma$ and $\rho$ impose limits on the size of the Turing machine program $\eta$ in order to eliminate precomputations (table lookups). Precomputations are assumed to be encoded into $\eta$ and/or the input $u$; otherwise, our theoretical definitions won't adequately model security practice.

Remark 6

Observe that prior complexity definitions depend on the meaning of algorithm. For any given algorithm, there can be an infinite number of Turing machines that implement the algorithm, where each of these machines has Shannon's State $\times$ Symbol complexity [28] such that $|Q||\Sigma| > \rho\sigma$. The distinction between a machine's implementation of an algorithm and an abstract algorithm can lead to deep subtleties [29, 30, 31]. In [32], a blackbox is constructed with a self-modifying, parallel machine that utilizes quantum randomness; this incomputable method raises more questions about the differences between an algorithm and the "machine" that executes it. Also, see [33].

Remark 7

From a practical perspective, side channel attacks typically exploit the particular machine implementation of an algorithm. (For example, see [14].) This further supports our position that a complexity definition should be based on the machine, not the algorithm.

Informally, $h : \{0,1\}^{<N} \to \{0,1\}^q$ is an $(N, \sigma, \rho, r)$ one-way preimage function if A and B hold:

A. A Turing machine $\mathcal{M}$ exists that on input $x$ outputs $h(x)$ in a feasible number of computational steps.

B. Any probabilistic Turing machine $\mathcal{V}$ that is given $y \in \{0,1\}^q$ as input and searches for an inverse image point $x \in h^{-1}(y)$ only succeeds with exponentially low probability under the following 3 conditions: (1) Turing machine $\mathcal{V}$ has at most $\sigma$ alphabet symbols. (2) Turing machine $\mathcal{V}$ has at most $\rho$ states. (3) There is some fixed degree $r$ and each success takes at least $|x|^r$ steps.

In our formal definition, no assumptions are made 
about collision resistance. 

Definition 8 One-Way Preimage Hash Function

Let $\sigma, \rho, r \in \mathbb{N}$. Let $N \in \mathbb{N} \cup \{\omega_0\}$. A function $h : \{0,1\}^{<N} \to \{0,1\}^q$ is called an $(N, \sigma, \rho, r)$ one-way preimage hash function with digest size $q$ if the following two conditions hold:

A. Easy to evaluate: There exists a polynomial time Turing machine $\mathcal{M}$ such that $\mathcal{M}(x) = h(x)$ for every $x \in \{0,1\}^{<N}$.

B. Computationally hard to invert: For every probabilistic Turing machine $\mathcal{V}$ and every $n$ such that $q < n < N$, the probability of the set $\{x \in \{0,1\}^n : \mathcal{V}(h(x)\,1^n) \in h^{-1}(h(x))$ and $\mathcal{V}$ has concrete complexity $\mathcal{C}(n^r, \sigma, \rho, |h(x)\,1^n|)\}$ is $< 2^{-\frac{n}{2}}$.

The following remarks help clarify definition 8.

Remark 9

$\omega_0$ is the first countably infinite ordinal. When $N = \omega_0$, this implies the domain of $h$ is $\{0,1\}^*$ and in this case definition 8 is asymptotic.

Remark 10

The adversary's machine $\mathcal{V}$ receives $h(x)$ as input and the auxiliary input $1^n$, which is the length of the binary string $x$. The purpose of the auxiliary input $1^n$ is to eliminate the possibility that a function is speciously considered one-way because machine $\mathcal{V}$ does not have enough time to print its output. For example, consider the function $h(x) = y$, where $y$ is the $\log n$ least significant bits of $x$ with $|x| = n$. No machine can find a point of $h^{-1}(y)$ in time polynomial in $|h(x)|$; however, there is a machine which finds a point of $h^{-1}(y)$ in time polynomial in $|x|$.

Remark 11

For our purposes only $n > q$ is needed in algorithms 1 and 2. There is some $k < q$ such that the adversary can brute force compute $h(x)$ for every $x \in \{0,1\}^j$ whenever $j < k$. The number $k$ obviously depends on the adversary's computational resources.
Remark 12

The one-way notion is probabilistic. The definition does not state that it is impossible for the adversary's machine $\mathcal{V}$ to find a point in the inverse image $h^{-1}(h(x))$; it says that $\mathcal{V}$ has a probability $< 2^{-\frac{n}{2}}$ of finding a point in the inverse image, where the machine takes at least $n^r$ computational steps to find it. Here $g(|u|) = (|u| - q)^r$, where $u = h(x)\,1^n$. To "succeed", the adversary's machine $\mathcal{V}$ only has to find some point in $h^{-1}(h(x))$. $\mathcal{V}$ is not required to find the $x$ that machine $\mathcal{M}$ used. Furthermore, the probability distribution is uniform over the input $x$ and the possible coin tosses of the adversary's machine $\mathcal{V}$.

Remark 13

The intuitive reason for the upper bound $2^{-\frac{n}{2}}$ on the probability stems from the birthday paradox: given a randomly selected digest $y$, it should be computationally more difficult for Eve to find a preimage point $x \in h^{-1}(y) \cap \{0,1\}^n$ than for Eve to randomly select preimage points $x_1, x_2, \ldots, x_m$, compute $h(x_1), h(x_2), \ldots, h(x_m)$ and search for a collision in $\{h(x_1), h(x_2), \ldots, h(x_m)\}$. The formal reason is based on number theory and dynamical systems tools applied to Turing machines, which is beyond the scope of this paper.

Example 14

Let $\Phi_{512} : \{0,1\}^{<2^{128}} \to \{0,1\}^{512}$ denote SHA-512. For $\Phi_{512}$, $N = 2^{128}$ and $q = 512$. It is unknown whether SHA-512 satisfies our definition of one-way preimage function for some values of $r$, $\sigma$ and $\rho$. In this regard, it is helpful to mention the recent biclique preimage attack [34] on a reduced 50 rounds of $\Phi_{512}$: their preimage complexity estimate of $2^{511.5}$ still supports this possibility and is far beyond today's computing power. In practice, input strings $> 2^{128}$ bits do not arise. However, based on prior, typical definitions of one-wayness, SHA-512 fails to be a one-way hash function because its domain is not $\{0,1\}^*$ and consequently cannot satisfy their asymptotic requirements.

5 Some Analysis of Algorithms 1, 2 and 3

Let $f : X \to X$ be a function on some topological space $X$. The orbit of the point $p \in X$ is $\mathcal{O}(p, f) = \{p, f(p), f \circ f(p), \ldots, f^n(p), \ldots\}$. In general, the orbit may be an infinite set. In algorithms 1, 2 and 3, the space $X = \{0,1\}^m$ for some $m \in \mathbb{N}$, so our key orbits and key generator orbits are finite. Point $p \in X$ is a periodic point if there exists $j \in \mathbb{N}$ such that $f^j(p) = p$. Point $x \in X$ is eventually periodic if there exists $k \in \mathbb{N}$ such that $f^k(x) = p$ and $p$ is a periodic point.

Suppose $f : \{0,1\}^m \to \{0,1\}^m$ is a function. The pigeonhole principle implies that every point $x \in \{0,1\}^m$ is eventually periodic with period at most $2^m$. Each function $f : \{0,1\}^m \to \{0,1\}^m$ induces an equivalence relation on the set $\{0,1\}^m$ as follows. If $x$ and $y$ are eventually periodic in the same orbit with respect to $f$, then $x$ and $y$ are called eventually periodic equivalent, expressed as $x \sim_f y$. Let $[x]$ denote the equivalence class $\{y \in \{0,1\}^m : x \sim_f y\}$.

The key generator orbit $\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1) = \{\pi_q \circ \Gamma(i) \in \{0,1\}^q : \Gamma(i)$ is computed by Algorithm 1$\}$. The dimension of the key generator orbit is the number of points in $\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1)$. Also, $\mathcal{A}_2$ and $\mathcal{A}_3$ denote algorithms 2 and 3, respectively.

Definition 15 Let $\phi : \{0,1\}^{<N} \to \{0,1\}^q$ be a hash function with digest size $q$. (No assumption is made about $\phi$'s one-wayness.) $\phi$ has a periodic point $p \in \{0,1\}^q$ with period $m$ if $m$ is the smallest positive integer such that $\phi^m(p) = p$.

The periodic orbit contained in $\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1)$ has a period $\le |\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1)|$. One of our tools uses theorem 16 to provide an algorithm for finding a preimage attack on $\Phi$ based on the eventually periodic equivalence classes.

When $q > \kappa$ where $\kappa = |K_j|$, there is an important subtlety to mention. At first glance, one might expect that the sequence of dynamic keys $K_1, K_2, \ldots$ should always have a period $\le 2^\kappa$ because the set $\{K_1, K_2, \ldots, K_{2^\kappa + 1}\}$ must have a collision. This is even further magnified by the birthday paradox: it is likely for the sequence $K_1, K_2, \ldots, K_{2^{\kappa/2}}$ to contain two identical dynamic keys. If this dynamic key sequence were produced by a discrete, autonomous dynamical system $f : \{0,1\}^\kappa \to \{0,1\}^\kappa$, then the first collision would determine the periodicity of the key sequence. Instead the orbit $\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1) \subseteq \{0,1\}^q$ is used to derive dynamic keys $K_1, K_2, \ldots$. Thus, the dimension of $\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1)$ can be much greater than $2^\kappa$, particularly when $q$ is substantially greater than $\kappa$. Note that in algorithm 3, $\kappa = 128$ and $q = 512$. This subtlety leads us to theorem 16.

Theorem 16 Suppose $z \in \{0,1\}^q$ has period $m$ with respect to $\phi$. Then $z$ has a preimage attack, by computing $m - 1$ iterations of $\phi$.

PROOF. Compute $x = \phi^{m-1}(z)$. Then $\phi(x) = \phi^m(z) = z$. □

The following definition helps analyze algorithms 2 and 3.

Definition 17 A hash function $\phi : \{0,1\}^{<N} \to \{0,1\}^q$ is regular on its subdomain $\{0,1\}^k$ with $k \ge q$ if for every $y \in \{0,1\}^q$, the intersection of the inverse image $\phi^{-1}(y)$ and $\{0,1\}^k$ has the same number of points. This means that for every $y \in \{0,1\}^q$, $|\phi^{-1}(y) \cap \{0,1\}^k| = 2^{k-q}$.

Theorem 18 Suppose hash function $\phi : \{0,1\}^{<N} \to \{0,1\}^q$ is regular on subdomain $\{0,1\}^q$. Then every point in $\{0,1\}^q$ is a periodic point and lies in a unique periodic orbit with respect to $\phi$.

PROOF. By reductio ad absurdum, suppose $x \in \{0,1\}^q$ is not a periodic point. Let $k$ be the smallest positive natural number such that $y = \phi^k(x)$ is a periodic point. Let $m$ be the period of $y$. Then $\phi^{-1}(y)$ contains at least two points $\phi^{m-1}(y)$ and $\phi^{k-1}(x)$. These two points contradict the regularity condition of $\phi$. The uniqueness of $x$'s periodic orbit immediately follows from the equivalence relation $\sim_\phi$ that $\phi$ induces on $\{0,1\}^q$. □

When $\phi$ satisfies the regularity condition on subdomain $\{0,1\}^q$, theorems 16 and 18 are useful because there is no need to search for clever preimage attacks. Instead, the size and number of the periodic orbits of $\phi$ on $\{0,1\}^q$ can be studied. Corollary 19 states that $2^q$ equals the sum of the periods of each periodic orbit with respect to $\phi$.

Corollary 19 Let function $\phi : \{0,1\}^{<N} \to \{0,1\}^q$ be regular on subdomain $\{0,1\}^q$. Then $\sum_{[x]} |[x]| = 2^q$, where the sum ranges over each equivalence class $[x]$ induced by $\sim_\phi$ and $|[x]|$ is the number of points in $[x]$. That is, $|[x]|$ is the period of $x$ with respect to $\phi$.

PROOF. $\sim_\phi$ is an equivalence relation on $\{0,1\}^q$. Apply theorem 18. □

Corollary 19 creates a counting tool for finding the probability that a point lies in a periodic orbit with period $m$. As a simple example, let $S : \{0,1\}^8 \to \{0,1\}^8$ denote the substitution box used in AES. Then $\sim_S$ induces the five equivalence classes $[0], [1], [4], [11], [115]$ on $\{0,1\}^8$. The equivalence class $[0]$ has 59 elements. This implies $S^{59}(0) = 0$ since $S$ is a bijection. Observe that $[11] = \{11, 43, 241, 161, 50, 35, 38, 247, 104, 69, 110, 159, 219, 185, 86, 177, 200, 232, 155, 20, 250, 45, 216, 97, 239, 223, 158\}$. Also, $|[1]| = 81$, $|[4]| = 87$, $|[11]| = 27$ and $|[115]| = 2$, and $|[0]| + |[1]| + |[4]| + |[11]| + |[115]| = 2^8$.
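The S-box example above, together with Definition 17, Theorems 16 and 18 and Corollary 19, can be checked by machine. The Python program below is an added example, not the paper's code: it builds the AES S-box from the $GF(2^8)$ inverse and the affine map, tests the regularity condition on a lookup table (a bijection is the $k = q$ case, with one preimage per digest), partitions $\{0,1\}^8$ into the eventually periodic equivalence classes of $\sim_S$, and applies Theorem 16 to recover a preimage of a periodic point by iteration. The same functions are run on a constructed non-regular map to show that Theorem 18's conclusion fails without regularity; all function names are the example's own.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def aes_sbox() -> list:
    """The AES S-box S: {0,1}^8 -> {0,1}^8 as a 256-entry table (field inverse, then affine map)."""
    inverse = [0] * 256
    for x in range(1, 256):
        inverse[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)

    def rotl(b, k):
        return ((b << k) | (b >> (8 - k))) & 0xFF

    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63 for b in inverse]


def is_regular(table: list, k: int, q: int) -> bool:
    """Definition 17 for a table f: {0,1}^k -> {0,1}^q: every digest has exactly 2^(k-q) preimages."""
    counts = [0] * (1 << q)
    for y in table:
        counts[y] += 1
    return all(c == 1 << (k - q) for c in counts)


def period_of(table: list, p: int):
    """Smallest m >= 1 with f^m(p) = p, or None when p is not a periodic point."""
    x, m = table[p], 1
    while x != p:
        if m > len(table):          # more steps than points: p is never revisited
            return None
        x, m = table[x], m + 1
    return m


def eventually_periodic_classes(table: list) -> dict:
    """Classes [x] of ~_f (x ~ y iff their orbits reach the same cycle), keyed by the
    smallest element on that cycle; tails of non-periodic points join their cycle's class."""
    label = [None] * len(table)
    for start in range(len(table)):
        if label[start] is not None:
            continue
        path, pos, x = [], {}, start
        while label[x] is None and x not in pos:
            pos[x] = len(path)
            path.append(x)
            x = table[x]
        rep = min(path[pos[x]:]) if label[x] is None else label[x]
        for p in path:
            label[p] = rep
    classes = {}
    for x, rep in enumerate(label):
        classes.setdefault(rep, []).append(x)
    return classes


def preimage_by_cycle(table: list, z: int) -> int:
    """Theorem 16: when z has period m, f^(m-1)(z) is a preimage of z."""
    m = period_of(table, z)
    if m is None:
        raise ValueError("z is not a periodic point")
    x = z
    for _ in range(m - 1):
        x = table[x]
    return x


if __name__ == "__main__":
    S = aes_sbox()
    classes = eventually_periodic_classes(S)
    print("regular on {0,1}^8:", is_regular(S, 8, 8))
    print("class sizes:", {rep: len(c) for rep, c in classes.items()})
    print("preimage of 11 by cycle:", preimage_by_cycle(S, 11))
    # Constructed non-regular map: x -> x^2 + 1 mod 256 collides (0 and 16 both map to 1).
    g = [(x * x + 1) % 256 for x in range(256)]
    print("non-regular map has non-periodic points:", any(period_of(g, p) is None for p in range(256)))
```

The class sizes printed for the S-box are the paper's 59, 81, 87, 27 and 2, summing to $2^8$ as Corollary 19 requires, and `preimage_by_cycle(S, 11)` returns 158, the last element the paper lists in $[11]$.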

During a single execution of algorithm 2, there is a low probability of encrypting two distinct blocks with identical keys. In other words, when $i \ne j$, the event $K_i = K_j$ has a low probability. The following lemma helps sharpen the expression "low probability".

Lemma 20 Suppose $\Phi : \{0,1\}^{<N} \to \{0,1\}^q$ is an $(N, \sigma, \rho, r + m + 2)$ one-way preimage function satisfying the regularity condition on subdomain $\{0,1\}^q$, where $r, m \ge 1$, $N = n + 1$, $\sigma = q$ and $\rho = q^2$. Suppose machine $\mathcal{M}$ computes $\Phi$ on any input $x \in \{0,1\}^q$ in at most $q^m$ computational steps. Suppose Alice randomly chooses $x \in \{0,1\}^q$ and computes $\Phi(x) = y$. Suppose Eve only sees $y$. Set $\mathcal{S} = \{x \in \{0,1\}^q : |\mathcal{O}(\Gamma, \Phi, \mathcal{A}_1)| < q^r$ and $\pi_q \circ \Gamma(0) = x\}$. Then $|\mathcal{S}| < 2^{\frac{q}{2}}$.

PROOF Outline. Using machine $\mathcal{M}$, Eve computes the orbit $[y, \Phi(y), \Phi^2(y), \ldots]$ with at most $q^r$ iterates. After completing the computation of each iterate $\Phi^k(y)$, Eve searches for a collision in $\{y, \Phi(y), \Phi^2(y), \ldots, \Phi^k(y)\}$. If a collision is found, Eve's machine halts. If Eve's machine reaches $\Phi^{q^r}(y)$ and does not find a collision, then Eve's machine halts.

When there is a collision in $\{y, \Phi(y), \ldots, \Phi^k(y)\}$, by theorem 18, the regularity condition implies that $y$ lies in this periodic orbit (equivalence class). Let $a = |[y]|$. Then theorem 16 implies $x = \Phi^{a-1}(y)$ is the preimage point sought by Eve. If $|\mathcal{S}| > 2^{\frac{q}{2}}$, then Eve's machine will find preimage point $x$ in less than $q^{r+m+1} \log q$ computational steps with probability greater than $2^{-\frac{q}{2}}$, contradicting that $\Phi$ is an $(N, \sigma, \rho, r + m + 2)$ one-way preimage function. □

Example 21

Consider $\Phi_{512}$, where $q = 512$. Assume $m = 3$ because $512^3$ steps is a more conservative upper bound for a TM computing $\Phi_{512}$ on $x \in \{0,1\}^{512}$ than $512^2$. If $\Phi_{512}$ satisfies the regularity condition on subdomain $\{0,1\}^{512}$ and $\Phi_{512}$ is a $(2^{128}, q, q^2, 9)$ preimage hash function, then the probability is $< 2^{-256}$ that the key generator in algorithm 3 has an orbit satisfying $|\mathcal{O}(\Gamma, \Phi_{512}, \mathcal{A}_3)| < q^4$; with probability at least $1 - 2^{-256}$, whenever $j \ne k$, then $\Gamma(j) \ne \Gamma(k)$ for an encryption length up to 8.5 billion bytes. Seeing two identical keys that encrypt distinct blocks requires a SHA-512 collision after only 134,217,728 iterations of SHA-512. Although no proof exists of $\Phi_{512}$'s one-wayness, $(2^{128}, q, q^2, 9)$ seems conservative based on the biclique preimage attack [34] that depends on a reduced 50 rounds instead of 80.

Remark 22

Standard block cipher methods must not reveal the static key to Eve. This is equivalent to not revealing any dynamic key to Eve. To construct future dynamic keys $K_k$ such that $k > j$, Eve must find the preimage point $\Gamma(j)$. In algorithm 3, suppose a processor backdoor leaks four consecutive 128-bit dynamic keys $P_{j/4} = K_j\,K_{j+1}\,K_{j+2}\,K_{j+3}$ to Eve. Even after the leak, constructing future keys requires Eve knowing $\Gamma(j)$. For algorithm 3, this involves considerably more computational steps than finding a single preimage point $x \in \{0,1\}^{1024}$ such that $\Phi_{512}(x) = P_{j/4}$. If $\Phi_{512}$ is regular on subdomain $\{0,1\}^{1024}$, then $|\Phi_{512}^{-1}(P_{j/4})| = 2^{512}$. The regularity condition implies Eve must guess $\Gamma(j)$ from $2^{512}$ possible preimage points. When Eve attempts to find dynamic keys that precede $K_j$, she has even less information available than when she is attempting to construct future keys. While the last $n - q$ bits of $\Gamma(j)$ are invariant, even if Eve knows $\Gamma(j)$, this doesn't enable her to immediately capture $\Gamma(j-1)$ because $\Phi_{512}(\Gamma_{j-1,0} \ldots \Gamma_{j-1,511}) = \Gamma_{j,0} \ldots \Gamma_{j,511}$.

Remark 23

A Boolean function $f : \{0,1\}^n \to \{0,1\}$ can be expressed as a polynomial $f(x_1, \ldots, x_n) = \sum_{a \in \{0,1\}^n} c_a\, x_1^{a_1} \cdots x_n^{a_n}$ over $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 - x_1, \ldots, x_n^2 - x_n)$, where $c_a = \sum_{x \le a} f(x_1, \ldots, x_n)$ and $x \le a$ iff $x_i \le a_i$ for each $i$. The algebraic degree of $f$ is defined as $\deg f = \max\{wt(a) : a \in \{0,1\}^n, c_a \ne 0\}$, where $wt(a)$ is the Hamming weight of $a$. Consider functions $f_1, f_2, \ldots, f_n : \{0,1\}^n \to \{0,1\}$ and function $F : \{0,1\}^n \to \{0,1\}^n$, defined as $F(x) = (f_1(x), f_2(x), \ldots, f_n(x))$. The algebraic degree of $F = \max\{\deg f_1, \deg f_2, \ldots, \deg f_n\}$. For a static AES key $K$, the AES encryption function $\mathcal{E}_K : \{0,1\}^{128} \to \{0,1\}^{128}$ has an algebraic degree $< 128$ and $\mathcal{E}_K$ is a function of 128 Boolean variables. It is well-known that a Boolean function's resistance to differential cryptanalysis and higher order differentials depends on its algebraic degree and how quickly its degree can be reduced by taking discrete derivatives [35, 36, 37].

Set $M = |\mathcal{O}(\Gamma, \Phi, \mathcal{A}_3)|$. For each dynamic key $K_i$, let $\mathcal{E}_{K_i} : \{0,1\}^{128} \to \{0,1\}^{128}$ denote the AES encryption function. During execution of algorithm 3, there are $4M$ distinct functions $\mathcal{E}_{K_0}, \ldots, \mathcal{E}_{K_{4M-1}}$, where encryption function $\mathcal{E}_{K_0}$ is applied to plaintext block $\mathcal{M}_0$, encryption function $\mathcal{E}_{K_1}$ is applied to block $\mathcal{M}_1$, and so on. This sequence of encryptions induces a function $f_\Gamma : \{0,1\}^{512M} \to \{0,1\}^{512M}$, where $f_\Gamma = (f_1, f_2, \ldots, f_{512M})$. As discussed in example 21, even for an extremely rare event such as a collision after only 134,217,728 iterations of SHA-512 (if such an orbit exists), the induced $f_\Gamma$ will be a function of 68,719,476,736 Boolean variables versus 128 Boolean variables for $\mathcal{E}_K$. The cipher block chaining and key generator orbit create a composition of the AES encryption functions $\mathcal{E}_{K_0}, \mathcal{E}_{K_1}, \ldots$; for example, $C_2 = \mathcal{E}_{K_2}(\mathcal{M}_2 \oplus \mathcal{E}_{K_1}(\mathcal{M}_1 \oplus \mathcal{E}_{K_0}(\mathcal{M}_0 \oplus C_{-1})))$. Thus, $f_{1+128k}, \ldots, f_{128(k+1)}$ are a function of the $128(k+1)$ variables $x_1, \ldots, x_{128(k+1)}$ for $0 \le k < 4M$. Based on the work of Boura, Canteaut [38] and Biss [39], we conjecture that for most key generator orbits the degree of $f_\Gamma$ is at least $M$.

6 Algorithms 2 and 3 Stop a Generic Block Cipher Attack

The dynamic keys, derived in algorithms 2 and 3, help stop Huang and Lai's generic block cipher attack [21], which is described below and shown in algorithm 24. The following list describes the symbols used in their attack algorithm 24.

$P$       plaintext
$C$       ciphertext
$n$       block size
$K$       master key
$k$       master key size
$R$       number of rounds
$S$       non-linear layer
$L$       linear layer
$K^r$     subkey used in round $r$
$X^r$     input block to round $r$, where $X^0 = P$
$Y^r$     output block of the key mixing in round $r$
$Z^r$     output block of the nonlinear layer in round $r$
$Z^r_i$   $i$th subblock in $Z^r$

$S_1$ is the internal state that can be calculated from $P$ only with $k_1$ bits of subkeys, where $k_1$ is the maximum smaller than $k$ that can be obtained. Similarly, $S_2$ is the internal state that can be derived from $C$ only with (other) $k_1$ bits of subkeys. For any block cipher, the states $S_1$ and $S_2$ can be found. The attack algorithm has two stages:

1. A meet-in-the-middle stage generates the candidate list containing $2^{k-M}$ keys,
   where $M$ is the met intermediate size.

2. A check stage that examines the keys in the candidate list.

Line numbers have been added to the attack algorithm in [21] to help explain how algorithms 2 and 3 hinder this attack.

Algorithm 24 Generic Block Cipher Attack

Data: [—]+1 (plaintext, ciphertext) pairs
Result: the output key K

1   for each value in the 1st k_1 key bits {
2       compute S_1 from P with these k_1 bits
3       for each value in the remaining k − k_1 key bits {
4           compute Z_i^{…} from S_1
5           store Z_i^{…} in a table corresponding to the guessed key
6       }
7   }
8   for each value in the last k_1 key bits {
9       compute S_2 from C with these k_1 bits
10      for each value in the remaining k − k_1 key bits {
11          compute … from S_2
12          if Z_i^{…} corresponding to the guessed key is in the table {
13              add guessed key to candidate list
14              move onto the next guess
15          }
16          else move onto the next guess
17      }
18  }
19  Check keys in candidate list with other [^] (plaintext, ciphertext) pairs

Algorithm 24's method of using a candidate key list to find the static key of the block cipher is not effective against cryptographic algorithms 2 and 3. To illustrate this, in algorithm 3, after each 64 byte block is encrypted, the candidate list of keys changes because the next four 128-bit keys K_j, K_{j+1}, K_{j+2}, K_{j+3} are derived from an updated key generator Γ_{j,0} ... Γ_{j,1023}, where the average Hamming distance between Γ_{j,0} ... Γ_{j,511} and Γ_{j−1,0} ... Γ_{j−1,511} is 256.

Consider algorithm 3 encrypting 25,600 bytes of voice data per second. At this rate, a one hour phone conversation requires a key generator orbit (Γ_{0,0} ... Γ_{0,511}), Φ_512(Γ_{0,0} ... Γ_{0,511}), ..., Φ_512^{1440000}(Γ_{0,0} ... Γ_{0,511}) of size 1,440,001. If a collision occurred in this orbit during a one hour phone call, then theorem 16 provides a devastating preimage attack on SHA-512 with at most 1,440,000 iterations of SHA-512. Beyond the extremely low probability of this rare event (such orbits may not even exist), a collision would also imply that SHA-512 does not satisfy any reasonable values of (2^128, a, p, r) preimage complexity. "Reasonable" means not constraining Eve's machine V so much that she cannot compute, for example, SHA-512. Consider g = 1, so machine V can have only one state.

Recall that the biclique preimage attack [34], on a reduced 50 rounds of SHA-512 instead of the complete 80, has an estimated preimage complexity of 2^{511.5}. From this work, it is considerably more likely that an orbit O(Γ, Φ_512, A3) has a size far greater than the number of SHA-512 iterations needed to provide a complete encryption for any foreseeable application. In this case, the assumption that there are [A] (plaintext, ciphertext) pairs does not hold for algorithm 3. Furthermore, the lack of [-] (plaintext, ciphertext) pairs invalidates the effectiveness of the loop composed of lines 1 through 7 and the loop composed of lines 8 through 18.


7 Speed Testing of Algorithm 3 

Algorithm 3's execution speed is compared to standard AES-128. Figure 1 shows 10,000 speed tests, measured in microseconds, where AES-128 uses a static key to encrypt 64 bytes of random plaintext.



Figure 1: Static key AES-128 encrypts 64 bytes. 
All speed tests were performed on an Apple Mac mini running OS X 10.9.2 with a 2.5 GHz Intel Core. The median was selected over the sample mean [40] in order to filter out the effects of OS X interrupts. All random plaintext, keys and key generators were created from /dev/urandom.

Figure 2 shows 10,000 speed tests, measured in microseconds. In each of these tests, algorithm 3 encrypts 64 bytes of random plaintext.



Figure 2: Algorithm 3 encrypts 64 bytes. 


When algorithm 3 is executed, the key expansion is executed for each 16 byte block because AES encrypts each block with a different 128-bit key. This motivates testing how much time is due to expansion of the 128-bit key versus how much time is due to key generator updating and dynamic key derivation from the 1024-bit key generator. Figures 3, 4 and 5 show these tests.

Figure 5: SHA-512 hash of a 1024-bit key generator. (Horizontal axis: Time (μs).)

Overall, algorithm 3 increases the execution time by almost 70 percent over standard AES-128 for these 64 byte tests, as indicated in figures 3, 4 and 5. The 128-bit key expansion uses almost 39 percent of this increase in execution time.
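Three claims above lend themselves to a runnable check: that successive key generators differ by about 256 bits in their first 512 bits (section 6), that under algorithm 3 no single AES key ever sees more than one plaintext/ciphertext pair, so the pair count that algorithm 24 needs is never reached, and that the per-update cost of SHA-512 on a 1024-bit generator can be measured by a median over many trials (section 7). The following Python is an added example, not code from the paper. It assumes that Φ_512 replaces the first 512 bits of the 1024-bit generator with SHA-512 of the whole generator, and that the four 128-bit keys K_j, ..., K_{j+3} are the four 16-byte slices of those 512 bits; both are assumptions for illustration, since algorithm 3 itself is not reproduced here. The orbit-size arithmetic (25,600 bytes per second for one hour) and the median-over-mean timing choice come from the page; the initial generator is a constructed value, not a /dev/urandom sample.

```python
import hashlib
import statistics
import time

GEN_BYTES = 128            # 1024-bit key generator, as on the page
DIGEST_BYTES = 64          # SHA-512 digest
KEY_BYTES = 16             # AES-128 key
BLOCK_BYTES = 64           # plaintext encrypted per generator update
KEYS_PER_UPDATE = BLOCK_BYTES // KEY_BYTES   # four keys K_j .. K_{j+3}


def phi_512(gen: bytes) -> bytes:
    """ASSUMED model of Phi_512 (the page does not spell it out): hash the
    whole 1024-bit generator with SHA-512 and overwrite its first 512 bits
    with the digest; the last 512 bits carry over unchanged."""
    if len(gen) != GEN_BYTES:
        raise ValueError("key generator must be 1024 bits")
    return hashlib.sha512(gen).digest() + gen[DIGEST_BYTES:]


def derive_keys(gen: bytes) -> list:
    """ASSUMED derivation: the four 128-bit keys are the four 16-byte slices
    of the generator's first 512 bits (not the paper's algorithm 3)."""
    return [gen[i * KEY_BYTES:(i + 1) * KEY_BYTES] for i in range(KEYS_PER_UPDATE)]


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def orbit(gen0: bytes, updates: int) -> list:
    """Gamma_0, Phi_512(Gamma_0), ..., Phi_512^updates(Gamma_0): updates + 1 points."""
    points = [gen0]
    for _ in range(updates):
        points.append(phi_512(points[-1]))
    return points


def mean_first_half_distance(gen0: bytes, updates: int) -> float:
    """Average Hamming distance between Gamma_{j,0..511} and Gamma_{j-1,0..511};
    for a digest behaving like random bits this should sit near 256."""
    pts = orbit(gen0, updates)
    return statistics.mean(
        hamming(p[:DIGEST_BYTES], q[:DIGEST_BYTES]) for p, q in zip(pts, pts[1:])
    )


def has_collision(points: list) -> bool:
    """A repeated generator in the orbit is exactly the event theorem 16 speaks of."""
    return len(set(points)) != len(points)


def orbit_size(bytes_per_second: int, seconds: int) -> int:
    """One generator update per 64-byte block, plus the starting point."""
    return (bytes_per_second * seconds) // BLOCK_BYTES + 1


def pairs_per_key(gen0: bytes, updates: int) -> dict:
    """How many 16-byte (P, C) pairs each dynamic AES key would ever see."""
    counts = {}
    for g in orbit(gen0, updates):
        for k in derive_keys(g):
            counts[k] = counts.get(k, 0) + 1
    return counts


def static_pairs_per_key(updates: int) -> int:
    """Same traffic under a single static key: every block is a pair for it."""
    return KEYS_PER_UPDATE * (updates + 1)


def median_update_microseconds(trials: int = 2000) -> float:
    """Median (not mean) wall-clock cost of one Phi_512 update, in microseconds."""
    g = bytes(range(GEN_BYTES))        # constructed starting generator
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        g = phi_512(g)
        samples.append((time.perf_counter() - t0) * 1e6)
    return statistics.median(samples)


if __name__ == "__main__":
    g0 = bytes(range(GEN_BYTES))       # constructed, deterministic starting generator
    print("one-hour orbit size:", orbit_size(25600, 3600))
    print("mean Hamming distance (first 512 bits):", mean_first_half_distance(g0, 1000))
    print("collision in 1000 updates:", has_collision(orbit(g0, 1000)))
    counts = pairs_per_key(g0, 999)
    print("max pairs under any dynamic key:", max(counts.values()),
          "vs static key:", static_pairs_per_key(999))
    print("median Phi_512 update (us):", round(median_update_microseconds(), 2))
```

The pairs-per-key comparison is the heart of the argument in section 6: the meet-in-the-middle loops of algorithm 24 need several (plaintext, ciphertext) pairs under one key, and the dynamic schedule hands each key exactly one block, whereas a static key accumulates one pair per block encrypted.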


Figure 3: Four AES 128-bit key expansions. (Horizontal axis: Time (μs).)

Figure 4: One key generator update with SHA-512.


8 Summary and Future Research 

In algorithms 2 and 3, a successful attack that obtains a sequence element Γ(j) of the key generator requires at least a preimage attack on a one-way preimage hash function, where no direct information about the one-way preimage digest is revealed to Eve. When the one-way preimage hash function satisfies our regularity condition, obtaining Γ(j) requires Eve to guess the correct preimage point from all possible preimage points; when the key generator element Γ(j) has length n bits and the digest size is q, there are 2^{n−q} possible preimage points. Furthermore, if Eve successfully captures Γ(j), she still must mount additional preimage attacks to obtain the preceding dynamic keys. The complexity is lower for a standard block cipher because Eve is searching for a static key used directly by the key scheduling.

Future research will focus on the theoretical security of computable key generators, which depends on the existence of one-way hash functions and a better understanding of their dynamical behavior. In this regard, a number theoretic method has been designed that satisfies our regularity condition and the propagation criteria [41].

